[Openid-specs-ab] Some feedback on OpenID Connect spec family

Mike Jones Michael.Jones at microsoft.com
Wed Jul 13 18:33:54 UTC 2011


Agreed.  One of the principles of this work has been that all data structures use JSON representations.

				-- Mike

-----Original Message-----
From: openid-specs-ab-bounces at lists.openid.net [mailto:openid-specs-ab-bounces at lists.openid.net] On Behalf Of Breno de Medeiros
Sent: Wednesday, July 13, 2011 11:10 AM
To: Andrew Arnott
Cc: openid-specs-ab at lists.openid.net
Subject: Re: [Openid-specs-ab] Some feedback on OpenID Connect spec family

On Wed, Jul 13, 2011 at 07:40, Andrew Arnott <andrewarnott at gmail.com> wrote:
> I'm glad to hear there are safe ways to parse JSON.  Perhaps pointing 
> this out in the security considerations section is all that is necessary.

+1

Agree it is an important security topic to discuss, but would prefer not to add support for an alternative format to JSON since JSON is so baked into OAuth2.

> --
> Andrew Arnott
> "I [may] not agree with what you have to say, but I'll defend to the 
> death your right to say it." - S. G. Tallentyre
>
>
> On Wed, Jul 13, 2011 at 7:06 AM, Nat Sakimura <sakimura at gmail.com> wrote:
>>
>>
>> On Wed, Jul 13, 2011 at 10:41 PM, Andrew Arnott 
>> <andrewarnott at gmail.com>
>> wrote:
>>>
>>> On Wed, Jul 13, 2011 at 6:32 AM, John Bradley <ve7jtb at ve7jtb.com> wrote:
>>>>
>>>> On Wed, Jul 13, 2011 at 12:27 PM, Andrew Arnott 
>>>> <andrewarnott at gmail.com>
>>>> wrote:
>>>>>
>>>>> Some questions, or suggestions regarding the spec...
>>>>>
>>>>> Core
>>>>> Section 4.
>>>>> Why are UserInfo endpoint responses receivable in JSON?  If it's 
>>>>> to make javascript client code easier, then you're encouraging 
>>>>> using "eval" to execute arbitrary code from an untrusted server.  
>>>>> Query string syntax would protect against this, and is at least as 
>>>>> friendly to web servers as JSON is.
>>>>
>>>> It was following OAuth's pattern of getting the response back in 
>>>> JSON as well as following Facebook Graph API.
>>>> Perhaps it is better to define a Query string version of response 
>>>> for the implicit flow. Opinions? > Connectors.
>>>>
>>>> I don't know that having a key value form encoding of the User info 
>>>> endpoint response necessarily makes sense with some of the claims 
>>>> being JSON objects themselves.
>>>> I suppose it is something that we could add as an option if someone 
>>>> can describe a serialization.
>>>> The default response should remain JSON for the user Info endpoint.
>>>
>>> If the default response should remain JSON, are we going to have in 
>>> the security section a comment saying RPs running as Javascript 
>>> clients SHOULD NOT call the UserInfo endpoint and execute its 
>>> results to deserialize the JSON objects?  Do you agree that would be dangerous?
>>
>> Yes. Use json_parse.js or json-sans-eval like JSON parser which does 
>> not do eval.
>>
>>
>> --
>> Nat Sakimura (=nat)
>> http://www.sakimura.org/en/
>> http://twitter.com/_nat_en
>
>
> _______________________________________________
> Openid-specs-ab mailing list
> Openid-specs-ab at lists.openid.net
> http://lists.openid.net/mailman/listinfo/openid-specs-ab
>
>



--
--Breno
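The hazard Andrew and Nat discuss above, as an added example that is not part of the thread and not code from the OpenID Connect specifications or any listed library: an RP running as a JavaScript client receives a UserInfo body from the server, and the only question is how it turns that text into an object. The two response bodies below are constructed for the demo; the eval-based pattern is the one the thread warns against, and the `globalThis.__pwned` canary is a hypothetical marker that exists only to make the code execution visible.

```javascript
// Added example: deserializing a UserInfo response with eval() versus a
// data-only JSON parser. Not part of the original thread.

// Constructed benign UserInfo response, shaped as the spec intends.
const BENIGN_RESPONSE =
  '{"sub":"248289761001","name":"Jane Doe","email":"janedoe@example.com"}';

// Constructed hostile response from a compromised or impersonated server.
// It is NOT valid JSON, but it IS a valid JavaScript object literal: the
// value of "sub" is a comma expression whose first operand runs attacker
// code. eval() executes it and still hands back a plausible claims object.
const HOSTILE_RESPONSE =
  '{"sub":(globalThis.__pwned = "code ran", "248289761001"),"name":"Jane Doe"}';

// The unsafe pattern: treat the response as a JavaScript expression.
function deserializeUnsafe(body) {
  return eval('(' + body + ')'); // executes whatever the server sent
}

// The safe pattern: a parser that only produces data and throws on anything
// that is not JSON (JSON.parse here; json_parse.js or json-sans-eval behave
// the same way for this input).
function deserializeSafe(body) {
  return JSON.parse(body);
}

// A safe parser only guarantees "this is JSON"; the RP still has to check
// that the value has the shape it expects before using it as claims.
function parseUserInfo(body) {
  const claims = deserializeSafe(body);
  if (claims === null || typeof claims !== 'object' || Array.isArray(claims)) {
    throw new Error('UserInfo response is not a JSON object');
  }
  if (typeof claims.sub !== 'string' || claims.sub.length === 0) {
    throw new Error('UserInfo response is missing the "sub" claim');
  }
  return claims;
}

// Runs both deserializers against the hostile body and reports what happened.
function demonstrate() {
  delete globalThis.__pwned; // reset the hypothetical canary

  const fromEval = deserializeUnsafe(HOSTILE_RESPONSE);
  const unsafeRanCode = globalThis.__pwned === 'code ran';
  const unsafeLooksFine = fromEval.sub === '248289761001'; // nothing visibly wrong

  let safeRejected = false;
  try {
    deserializeSafe(HOSTILE_RESPONSE);
  } catch (e) {
    safeRejected = e instanceof SyntaxError; // the "(" after "sub": is not JSON
  }

  const claims = parseUserInfo(BENIGN_RESPONSE);
  return { unsafeRanCode, unsafeLooksFine, safeRejected, benignSub: claims.sub };
}

console.log(demonstrate());
```

The point the demo makes is the one Andrew raised: with eval() the attacker's payload runs and the RP sees a normal-looking claims object, so nothing in the application logic would flag it; with a data-only parser the same body is a SyntaxError before any claim is read, and the shape check on top of it covers the case where the server returns well-formed JSON that is not a claims object at all.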